Databases Reference
In-Depth Information
up creating the procedure inside my database—and using the user privileges
assigned to my account!
9.9 Summary
In this chapter you learned about a new type of threat—Trojans that allow
attackers to collect information and/or perform actions within the database
continuously, without necessarily connecting to the database. There is an
initial connection to plant the Trojan, but once planted, the Trojan can
often run independently. All this makes the Trojan a little more difficult (or
at least different) to detect, and this chapter showed you the approaches to
use to uncover such attacks or mistakes, including the monitoring of the
actual methods through which the Trojan is injected into the database.
A Trojan is an unauthorized program that runs within your database,
and as such it is an example of the need for protecting data from foreign
elements that may have direct access to the data. This topic is a wider issue,
and the technique used most often to address protection of the data is
encryption (of data at rest, in this case)—the topic of the next chapter.
9.A Windows Trojans
Windows Trojans usually have two components: a client and a server. The
server is embedded into something the victim trusts, and the victim
unknowingly activates the server component of the Trojan. Once the Trojan
server component is running, it will communicate with the attackers to
inform them of the IP of the victim's machine. The attackers then use the
client component to connect to the server, which normally listens on a
certain port of the victim's machine.
Trojans often attach themselves to other executables, such as
explorer.exe or iexplorer.exe. This ensures that they will be activated
and reactivated no matter how many times the machine is powered down.
Other techniques for ensuring auto-run include use of the autostart
folder, insertion of load=trojan.exe and run=trojan.exe into the
win.ini file, or insertion of Shell=Explorer.exe trojan.exe into the
system.ini file. The registry is also a common method used to ensure
that the Trojan will run:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\trojan.exe"
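
The autostart locations named above can be audited from exported copies of win.ini, system.ini and the registry. The following is an added example, not code from the book; the function names and all sample file contents are constructed for illustration.

```python
# Constructed sample inputs (not from the book): exported copies of win.ini,
# system.ini and a .reg export, seeded with the entries the text describes.
WIN_INI = "[windows]\nload=trojan.exe\nrun=\n[fonts]\n"
SYSTEM_INI = "[boot]\nShell=Explorer.exe trojan.exe\n[drivers]\nwave=mmdrv.dll\n"
REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\\trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Example]
"Other"="ignored"
'''
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"


def entries(text):
    """Yield (section, key, value) from INI-style or .reg-export text."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            yield section, key.strip().strip('"'), value.strip().strip('"')


def autorun_findings(win_ini, system_ini, reg_export):
    """Return (location, name, command) for every autostart entry to review."""
    found = []
    for section, key, value in entries(win_ini):
        # load= and run= under [windows] start programs at logon.
        if section == "windows" and key.lower() in ("load", "run") and value:
            found.append(("win.ini", key.lower(), value))
    for section, key, value in entries(system_ini):
        # The shell line should name Explorer.exe and nothing else.
        if section == "boot" and key.lower() == "shell" and value.lower() != "explorer.exe":
            found.append(("system.ini", "shell", value))
    for section, key, value in entries(reg_export):
        # .reg exports double the backslashes inside string values.
        if section == RUN_KEY:
            found.append(("registry Run", key, value.replace("\\\\", "\\")))
    return found


if __name__ == "__main__":
    for finding in autorun_findings(WIN_INI, SYSTEM_INI, REG_EXPORT):
        print(finding)
```

Every value under the Run key is listed, since legitimate software uses it too; the output is a review list to compare against a known-good baseline for the machine.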